doc: document how to use the container selector
This change describes how to use the container selector in tracing
policies. Also, this change renames the "K8s namespace and pod label
filtering" page to "K8s Policy Filtering" to make the name more generic.

Fixes: #1879

Signed-off-by: Oleh Neichev <[email protected]>
BonySmoke committed Mar 23, 2024
1 parent 8048426 commit 9b7ce77
Showing 1 changed file with 11 additions and 6 deletions.
17 changes: 11 additions & 6 deletions docs/content/en/docs/concepts/tracing-policy/k8s-filtering.md
Expand Up @@ -17,10 +17,15 @@ action the Tetragon agent should perform when the specified situation occurs. Th
is generating an event, but there are others (e.g., returning an error without executing a function,
or killing the corresponding process).

Here we discuss how to apply tracing policies only on a subset of pods running on the system via
two mechanisms: namespaced policies, and pod-label filters. Tetragon implements both mechanisms
in-kernel via eBPF. This is important for both observability and enforcement use-cases. For
observability, copying only the relevant events from kernel- to user-space reduces overhead. For
Here we discuss how to apply tracing policies only on a subset of pods running on the system via
the followings mechanisms:
- namespaced policies
- pod-label filters
- container field filters

Tetragon implements these mechanisms in-kernel via eBPF. This is important for both observability
and enforcement use-cases.
For observability, copying only the relevant events from kernel- to user-space reduces overhead. For
enforcement, performing the enforcement action in the kernel avoids the race-condition of doing it
in user-space. For example, let us consider the case where we want to block an application from
performing a system call. Performing the filtering in-kernel means that the application will never
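Review bot: "via the followings mechanisms" in the new intro sentence should read "via the following mechanisms". Also, the commit title and message call the feature the "container selector", while the new bullet introduces it as "container field filters"; using one name in both the intro list and the section that documents it would help readers searching for the feature. Otherwise the split into a bullet list plus a separate paragraph on in-kernel eBPF filtering reads well and keeps the existing observability/enforcement rationale intact.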
@@ -328,7 +333,7 @@ kubectl exec -it lseek-pod -c sidecar -- python3
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OSError: [Errno 9] Bad file descriptor
>>>
>>>
```

But containers matching the name `main` will:
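Review bot: the removed and added `>>>` lines render identically here, so this looks like a whitespace-only change (for example a trailing space after the prompt); worth confirming it is intentional, since unrelated whitespace churn in the documentation makes the diff harder to review.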
@@ -339,5 +344,5 @@ kubectl exec -it lseek-pod -c main -- python3
```
>>> import os
>>> os.lseek(-1, 0, 0)
Killed
command terminated with exit code 137
```
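Review bot: replacing `Killed` with `command terminated with exit code 137` matches what `kubectl exec` actually prints when the target process is killed, since the `Killed` message comes from a parent shell and there is none in this `kubectl exec ... -- python3` invocation. Consider adding one sentence after the fence noting that exit code 137 is 128 + 9, i.e. the process was terminated by SIGKILL, so readers can tie the output back to the policy's enforcement action.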
